Mozilla Foundation Security Advisory 2010-51

Dangling pointer vulnerability using DOM plugin array

Announced: September 7, 2010

Reporter: Sergey Glazunov

Impact: Critical

Products: Firefox, SeaMonkey, Thunderbird

Fixed in: Firefox 3.5.12, Firefox 3.6.9, SeaMonkey 2.0.7, Thunderbird 3.0.7, Thunderbird 3.1.3

Description

Security researcher Sergey Glazunov reported a
dangling pointer vulnerability in the implementation
of navigator.plugins in which the navigator
object could retain a pointer to the plugins array even after it had
been destroyed. An attacker could potentially use this issue to crash
the browser and run arbitrary code on a victim's computer.
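
The object-lifetime pattern described above, next to one way to harden it. This is an added illustration, not Mozilla's code and not taken from the advisory. All class and function names are hypothetical, and the weak-reference approach is an assumption, not the fix Mozilla shipped.

```cpp
#include <cstdio>
#include <memory>
#include <string>
#include <utility>
#include <vector>

// Hypothetical stand-in for the plugins array; not Mozilla's class.
struct PluginArray {
    std::vector<std::string> names;
};

// Pattern the advisory describes: a cached raw pointer that nothing clears
// when the array is destroyed. Dereferencing it afterwards is a
// use-after-free, so this model offers no accessor that follows it.
struct RawNavigator {
    PluginArray* plugins = nullptr;
};

// Hardened pattern: a non-owning weak reference that must be promoted before
// each use; promotion fails once the array is gone.
class SafeNavigator {
public:
    void attach(const std::shared_ptr<PluginArray>& p) { plugins_ = p; }
    // Returns the plugin count, or -1 if the array no longer exists.
    long pluginCount() const {
        if (auto live = plugins_.lock())
            return static_cast<long>(live->names.size());
        return -1;
    }
private:
    std::weak_ptr<PluginArray> plugins_;
};

// Attach, use, destroy the array, use again.
// Returns {count before destruction, count after destruction}.
std::pair<long, long> runLifetimeScenario() {
    SafeNavigator nav;
    auto array = std::make_shared<PluginArray>();
    array->names = {"constructed-plugin-a", "constructed-plugin-b"};
    nav.attach(array);
    long before = nav.pluginCount();
    array.reset();                   // the owner destroys the array
    long after = nav.pluginCount();  // stale reference detected, not followed
    return {before, after};
}

int main() {
    auto r = runLifetimeScenario();
    std::printf("before=%ld after=%ld\n", r.first, r.second);
}
```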